Don't Hate Chip Credit Cards. They Keep You More Secure.

January 9, 2017

In early 2016 I received a new bank card, one with the little silver square that means it has a chip in it. In the same envelope was a letter describing how this new smart bank card was going to help protect me in the fight against bank fraud, something I feel strongly about.

Later that month I saw a YouTube video of an old news broadcast from Indiana where a guy with $100 and some technical know-how made a device that could harvest people’s credit card numbers as he walked through a crowded mall. He even used it to turn his hotel key card into a clone of a credit card.

Those two actions caused me to raise two questions: did my smart bank card give me more security or more risk, and what would it take for “chipped” or smart bank cards to offer real improvement?

In my January 2017 course on Windows Certificate Services, I explored the process of using a smart card to log in to a computer network. In that process, there is a conversation between the card and the computer before the important information of passwords or certificates is disclosed.

The conversation goes something like this:

[Card] “Hi, I represent Scott and I would like to log into this network.”

[Computer] “Hi, card representing Scott. I will need proof that you deserve access to this network.”

[Card] “First I will need proof that I should trust you with Scott’s credentials.”

[Computer] “Here is a copy of my information as a network computer that you should trust. Also, give me a couple seconds and I’ll get this human standing here to type in your access PIN.”

[Card] “I’ll wait.”

Then the card and the computer become fast friends to allow a secure login. At the end of the session the computer and the card forget each other, as trust has to be established every time.

This seems to have an easy parallel to the exchange between a card and a cash register, so I had high hopes for this smart debit card. If my debit card could verify the reader at the gas station before disclosing my card number, that could beat several different kinds of fraud.

Then I factored in people’s need for convenience. In our fast-paced society, we demand all things electronic to be instant. That transaction has to happen very quickly before most people would yank the card and start over. We seem to like a magnetic strip that holds all of the information, ready to disclose to anything close enough to read it quickly.

That’s when I saw it. I realized why smart bank cards had not eradicated all bank fraud. My smart card with an intelligent chip inside had two legacy features that ensured it would remain vulnerable. My card still had the card number printed on the front, and it still had the magnetic strip on the back. Adding secure technology didn’t improve anything so long as the vulnerable tech was still there.

A better solution – a world without magnetic strips on credit or debit cards

If we could get away from the magnetic strip, we could render card skimmers useless. The conversation between a smart card and a reader requires a few seconds of contact with that little metallic square. Simply passing by a skimmer at a gas pump wouldn’t reveal anything.

As a culture, we have ripped off the band-aid to move from analog TV to digital TV because it looks and sounds better. Decades before that we made the hard transition to convert car engines to stop using leaded gasoline. If bank cards are going to become more secure, we need to be ready to ditch the strip entirely.

Arguably, RFID should never have been allowed to happen in bank cards and it needs to go too, but that is a separate point. Merchants need to stop resisting the technology and manufacturers need to design cards and readers that work well every time.

We could even go so far as to establish something like certificates that would be issued to credit card readers, associated with the vendor’s merchant account. This would let cards know which readers they could trust. The back-end technology is available today. As consumers, we need to decide if fraud is an acceptable cost of convenience or if we are ready to see something better.
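The card-and-reader conversation described earlier, combined with the reader credential idea above, as an added Python sketch that is not from the original post or any payment standard. It assumes a simplification: an HMAC key derived from the merchant account stands in for a reader certificate (a real design would use asymmetric signatures so the card holds no issuer secret), and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def provision_reader_key(issuer_key, merchant_id):  # hypothetical issuer-side step
    return mac(issuer_key, merchant_id.encode())

class Reader:
    def __init__(self, merchant_id, key):
        self.merchant_id, self._key = merchant_id, key

    def prove(self, challenge):
        return mac(self._key, challenge)

class Card:
    def __init__(self, issuer_key, card_number, pin):
        self._issuer_key, self._number, self._pin = issuer_key, card_number, pin
        self._tries_left, self._challenge, self._reader_ok = 3, None, False

    def hello(self):
        # Fresh random challenge per session, so an old proof cannot be replayed.
        self._reader_ok = False
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def verify_reader(self, merchant_id, proof):
        if self._challenge is None:
            return False
        expected = mac(provision_reader_key(self._issuer_key, merchant_id), self._challenge)
        self._challenge = None  # each challenge is single use
        self._reader_ok = hmac.compare_digest(expected, proof)
        return self._reader_ok

    def release_number(self, pin):
        # Disclose nothing unless the reader was verified and PIN tries remain.
        if not self._reader_ok or self._tries_left == 0:
            return None
        self._reader_ok = False  # trust is re-established every session
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            return None
        self._tries_left = 3
        return self._number

def pay(card, reader, pin):
    ok = card.verify_reader(reader.merchant_id, reader.prove(card.hello()))
    return card.release_number(pin) if ok else None
```

Calling `pay` with a reader that was never provisioned by the issuer returns `None` before the PIN is even checked, which is the property the magnetic strip cannot offer.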

Oh, and we need to do something nice for the cashiers that are going to have to deal with all of us complaining that running our card takes 10 seconds instead of 5. Be nice to cashiers.